cyber assured systems engineering

© 2020 Collins Aerospace

C YB E R A S S U R E D S YS TE M S E N G I N E E R I N G W I T H A A D L

D A R R E N C O F E RF E L L O W / T R U S T E D S Y S T E M SD A R R E N . C O F E R @ C O L L I N S . C O M

Approved for public release. Distribution is unlimited.

A A D L / A C V I P U S E R D A Y S4 F E B R U A R Y 2 0 2 1

1


C O L L I N S - L E D D A R P A C Y B E R A S S U R E D S Y S T E M S E N G I N E E R I N G ( C A S E ) P R O J E C T

TEAM

• Collins Aerospace• Architectural transformations for cyber-resilience• Component synthesis and proofs• Formal analysis and assurance case• Tool integration

• Data 61• seL4 formally verified secure microkernel for memory protection• Formally verified components (seL4, CakeML language)

• University of Kansas• Formally verified attestation for distributed computing platforms

• Adventium• Real-time scheduling• AADL modeling and code generation

• Kansas State University• Automatic code generation from architecture models with proof of equivalence• Information flow analysis

2Approved for public release. Distribution is unlimited.


• Integrated model-based systems engineering tool suite based on Architecture Analysis & Design Language (AADL) models

• Transform system design to satisfy cyber-resiliencyrequirements

• Generate new high-assurance components from formal specifications

• Verify system design using formal methods and document evidence/compliance with assurance case

• Generate software integration code directly from verified architecture models, targeting multiple operating systems (including seL4)

BR I E FCASE TOOL CAPABIL IT IES

SAE AS5506 STANDARD


Why AADL?• Sufficiently rigorous semantics to support analysis• Correct level of abstraction (supports construction)• OSATE supports addition of new capabilities


3 TECHNOLOGY PILLARS

MBSECModel-Based Systems

Engineering for Cybersecurity

CY-RESArchitectural Transformations

for Cyber-Resiliency PROOFEnd-to-End Integrated

Formal Verification

TransformedModels

seL4Capabilities

Assurance Case

ArchitectureModel

Verified Components

ComponentSpecs

4

1. Developer assistance to implement cyber-resiliency• Automated architecture transforms for threat mitigation• High assurance components generated from specifications• Techniques to deal with legacy code (cyber retrofit)

2. MBSE environment for high-assurance cyber-resilient system development

• Build system directly from detailed, verified AADL model• Makes the security guarantees of seL4 accessible to system

developers• Ability to target different platforms to facilitate incremental

debugging/development

3. Integration of formal verification/proof• Formal verification of functional and cyber-resiliency properties,

information flow properties, component proofs• Code generation equivalence to model, seL4 build preserves

properties• Integrate evidence as an assurance case demonstrating how/why

requirements are satisfied



BR IEFCASE TOOL ARCHITECTURE

OSATEAADL model

HAMR plugin Cyber Transform

plugin

AGREE

Resolute

SPLAT

CAmkES input model

TA1 pluginCyber Reqtsplugins

CAmkES

UAV exe

seL4 capDL

C compiler CakeMLcompiler

Component implementation

and glue *.c files

Solvers

System Build

evidence


and glue CakeML files

6

UAV exe

Linux

SystemModelingEnvironment

High-Assurance Code GenerationTools



ARCHITECTURAL TRANSFORMATIONS FOR CYBER-RESIL IENCY

OSATEAADL model


plugin

AGREE

Resolute

SPLAT

CAmkES input model


CAmkES

UAV exe

seL4 capDL



and glue *.c files

Solvers

System Build

evidence



7

UAV exe

Linux



1. CY-RES



• Choose one of the Cyber Requirements generation tools

• CRA GearCASE plugin• Vanderbilt/DOLL DCRYPPS plugin

• Initial model data is exported to selected tool

• Requirements import wizard manages the generated requirements

• Select action• Naming/tagging• Associate with formal properties

• Requirements inserted into model as Resolute goals (GSN)

• We will build an assurance argument to satisfy these goals

1 . GENERATE / IMPORT CYBER REQUIREMENTS

DCRYPPS GearCASE

Candidate Cyber

Requirements

Inse

rt G

oals

in

to M

odel



• Cyber requirements tools provide model context and sometimes suggested mitigation

• System engineer selects from available cyber-resiliency transformations

• Filter• Monitor• Gate (controlled by monitor)• Attestation• Virtualization• seL4 build prep

• Wizard interface collects needed configuration data

• Tool automatically transforms AADL model

• Also adds Resolute assurance case strategy to show how the associated goal (requirement) is satisfied

2 . APPLY CYBER TRANSFORMATIONS

PROC

VMFILTIN OUT

IN1

MONALERT

IN2 GATEINOUT

CTL

AMID

REQ

RSP



• Resolute links cyber transform to goal as a GSN strategy• Checks for violations/changes that impact correctness• Collects evidence and generates assurance case

2A. INSERT ASSURANCE CASE STRATEGY



• Some of the cyber transforms insert new high-assurance components into the model

• The behavior of the component (its contract) is specified in AGREE

• SPLAT generates component implementations from their specifications

• SPLAT also generates a proof showing that the component implements its specification

3 . GENERATE HIGH ASSURANCE COMPONENTS

SPLAT

CCakeML

Proof• Other components (such as the Attestation Manager) are pre-built pre-verified libraries

• Their implementations are essentially library functions that are added to the build, possibly with some configuration data from the model



Hardware

• How can we deal with legacy code/systems?• Example: UxAS

• Open source, less trusted• Not designed for cybersecurity• Written in C++

USE CASE : “CYBER RETROFIT”

C

B

D

A

Operating System (Linux, etc.)

WPM WPM

MON

FILT

Secure Microkernel (seL4)Virtual Machine

1. Virtualize legacy system• Support for multiple VMs, if needed

2. Host on seL43. Extract/harden critical components4. Filter inputs5. Monitor outputs



MODEL-BASED SYSTEMS ENGINEERING FOR CYBERSECURITY

OSATEAADL model


plugin

AGREE

Resolute

SPLAT

CAmkES input model


CAmkES

UAV exe

seL4 capDL



and glue *.c files

Solvers

System Build

evidence



14

UAV exe

Linux



2. MBSEC



M O D E L - B A S E D S Y S T E M S E N G I N E E R I N G F O R C Y B E R S E C U R I T Y

MBSEC

• The model IS the system • It is not just a picture for communication, or a way to capture

requirements, or a means to perform analyses • It is all of those things, but it is also how we will actually

build the system, and do so in a way that ensures compliance with the design captured in the model

• Rationale for AADL• Provides the necessary precision and semantics for building

real-time distributed embedded software systems• MBSE for seL4

• Furthermore, we are bridging the gap between systems engineers and the formally verified seL4 microkernel

• Ensure usability by systems engineers and promote successful transition

• HAMR• High Assurance Modeling for Rapid Engineering• Code generation from AADL models

AADL



H A M R A N D S E L 4

SOFTWARE INFRASTRUCTURE

• HAMR is a multi-stage translation architecture to address CASE goals of component migration between platforms and information flow control

• Semantic consistency from model to execution• Ensures model-level analysis applies to deployed code• Same computational model across different platforms• Build for multiple target platforms:

• seL4 / Linux / Virtual Machine• Build for workstation / emulator / embedded platform

AADL

Por

t Com

m S

ervic

e Ab

s La

yer

Application Code

AADL

Infra

stru

ctur

e Po

rt Co

mm

unica

tion

Abs

Laye

r

Plat

form

Com

m

Infra

stru

ctur

e

Prog

Lan

guag

e AA

DL P

ort

Com

m A

bs L

ayer

Platform Thread Infrastructure

AADL Thread Infrastructure Abs Layer

AADL Thread Entry Points/ Dispatch Logic

Prog

Lan

guag

e AA

DL P

ort

Com

m A

bs L

ayer

AADL

Por

t Com

m S

ervic

e Ab

s La

yer

AADL

Infra

stru

ctur

e Po

rt Co

mm

unica

tion

Abs

Laye

r

Plat

form

Com

m

Infra

stru

ctur

e

HAM

Rco

de

gene

ratio

n

seL4 is…• An operating

system microkernel• A hypervisor• Proved correct• Provably secure• Fast

• seL4 microkernel guarantees partitioning of components and communication, backed by computer-checked proofs

• seL4 guarantees no infiltration, exfiltration, eavesdropping, interference, and provides fault containment for untrusted code

16



HAMR SUPPORTS MULTIPLELANGUAGE/ PLATFORM COMBINATIONSThe flexibility of being able to easily shift between different platforms was quite useful as the team experimented with building the Phase 2 Experimental Platform assessment deliverable.

JVM/Slang – data types, port constraints, basic aspects of application logic, initial unit testing – some mocked up components, many useful visualizations

Linux C – compile Slang to C, or manually code C, and debug C implementation, VMs mocked up

seL4 C / Qemu – C application code easily ports to seL4 native components, add in VMs, test/simulate/debug in QemuseL4 C / board – seL4 build shifted to actual hardware for final testing and deployment

AADL / OSATE – design model, types, perform analyses

17Approved for public release. Distribution is unlimited.Adventium / Kansas State


HAMR ABSTRACTION LAYERS

AADL

Por

t Com

m

Serv

ice A

bs L

ayer Application

Code

AADL

Inf

rast

ruct

ure

Port

Com

mun

icatio

n Ab

s La

yer

Plat

form

Com

m

Infra

stru

ctur

e

Prog

Lan

guag

e AA

DL

Port

Com

m A

bs L

ayer

… …

Platform Thread InfrastructureAADL Thread Infrastructure Abs Layer

AADL Thread Entry Points/ Dispatch

Logic

T1

T2

P1P2P3P4

T3

Prog

Lan

guag

e AA

DL

Port

Com

m A

bs L

ayer

AADL

Por

t Com

m

Serv

ice A

bs L

ayer

AADL

Inf

rast

ruct

ure

Port

Com

mun

icatio

n Ab

s La

yer

Plat

form

Com

m

Infra

stru

ctur

e

Port communication APIs

Threading APIs



APPLICATION LOGIC

Unit hamr_SW_WaypointPlanManagerService_thr_Impl_Impl_timeTriggered_(STACK_FRAMEhamr_SW_WaypointPlanManagerService_thr_Impl_Impl this) {bool dataReceived = false;size_t numBits = 0;uint8_t payload[MAX_PAYLOAD];

dataReceived = api_get_ReturnHome__hamr_SW_WaypointPlanManagerService_thr_Impl_Impl(this);if (dataReceived) {

returnHome = true;}

if (returnHome || automationResponse != NULL) {dataReceived = api_get_AirVehicleState__hamr_SW_WaypointPlanManagerService_thr_Impl_Impl(

this, &numBits, payload);if (dataReceived) {

air_vehicle_state_in_event_data_receive_handler(this, payload);}

}}

Standardized entry point for HAMR / AADL periodic threads (skeleton auto-generated)

Use of auto-generated API for input event port

Use of auto-generated API for input event data port

Note: Same C APIs are used for seL4 native, seL4 VM (as an option), and Linux. These mirror the structure of Slang and CakeML APIs.



• Define rules in Resolute that correspond to modeling guidelines

• Group rules into rulesets corresponding to organizational process, customer requirements, certification guidelines, and tool constraints

• Automatically check compliance with modeling guidelines in OSATE

RESOLINT: L INTER TOOL FOR AADL MODELS

22

Modeling Guidelines



END-TO-END INTEGRATED FORMAL VERIFICATION

OSATEAADL model


plugin

AGREE

Resolute

SPLAT

CAmkES input model


CAmkES

UAV exe

seL4 capDL



and glue *.c files

Solvers

System Build

evidence



23

UAV exe

Linux



3. PROOF



END-TO-END INTEGRATED FORMAL VERIFICATION

system properties

architecture properties

high-assurance components legacy components

HAMR correspondence proof

CAmkES translation proof

seL4 initializer proof

seL4 proof

assurance case



AADL

BRIDGING THE GAPW I T H P R O O F S


seL4 integrity policy (access control) is enforced on a running system.

1

seL4 system initializer constructs system whose capabilities and objects conform tocapDL specification

2CAmkEStranslates system description into capDL spec

3 HAMR translates AADL model into CAmkES system description

4


HAMR CORRESPONDENCE PROOF CONCEPT

4

AADL Model

ComponentHAMR generates a topological structure using Alloy relations

Port

Connection

4

HAMR Generates Traceability Information

Com

pone

nt

Trac

eabi

lityPo

rt Tr

acea

bilit

y

Application code for

component

Port

Connection

Executable Code and Configuration Information

HAMR generates a topological structure using Alloy relations

Observation point in code associated with port input

Observation point in code associated with port output

Flow-path in code corresponding to realization of communication for connection

FlowPreservation (formal spec in Alloy): For every connection between two components in AADL, there is a flow path in the source code between code artifacts associated with the ports.

NoNewFlows (formal spec in Alloy): For every flow path between two components in the source code, there is a connection in the AADL model between corresponding ports.

Kansas State26Approved for public release. Distribution is unlimited.


A F R L U X A S A U T O N O M O U S M I S S I O N P L A N N E R

P H A S E 2 U AV D E M O N S T R AT I O N

• Ground Station sends automation requests to UAV• UAV Mission Computer processes requests and

generates flight plans• UAV Flight Control Computer computes guidance

commands to follow current segment of flight plan

27

• CASE evaluation team developed cyber attacks on baseline platform

• Collins team hardened platform using BriefCASE tools

• Evaluation team attacks ineffective against hardened platform

M A R T I N S U P E R - B A T

P I C C O L OF C C

O D R O I D - X U 4M I S S I O NC O M P U T E R

G R O U N D S T A T I O NApproved for public release. Distribution is unlimited.


ATTACKS / MIT IGATION

GND STN

All UAV software runs on formally verified seL4 secure kernelUxAS software isolated in Linux virtual machine (cyber retrofit)Specific attacks from evaluation team mitigated:1. Malformed messages blocked by high-assurance filter2. High-assurance geofence monitor detects plan that violates KeepOutZone

and sends alert to WaypointManager to trigger return to baseResponse monitor detects crashed UxAS planner and alerts operator

3. Remote attestation measures ground station software and detects modified code

Trojans added to UxAS PlanBuilderServiceReplaces AutomationResponse with plan that violates KeepOutZone

2

Malformed ground station messages

1

UAV MISSION COMPUTER

28

Code added to ground station software to generate malicious requests

3



H T T P : / / L O O N W E R K S . C O M / P R O J E C T S / C A S E

CASE PHASE 2 DEMO VIDEOS

Approved for public release. Distribution is unlimited.29

This video provides a demonstration of the BriefCASE tool environment, showing how to use the tools to address multiple cyber-resiliency requirements for a UAV mission computing system (22:35).

In part two, we run the hardened UAV mission computing system built in the first video and test it against several cyber attacks to show the effectiveness of the approach (10:13).

https://youtu.be/sOVs959q_lI

https://youtu.be/Ue0HHdL52-w


B A S E L I N E S Y S T E M ( P H Y S I C A L )

CASE PHASE 3 DEMONSTRATION

• Collins Common Avionics Architecture System (CAAS)• Goal : Extend (securely) to add wireless connectivity• Idea : Repurpose one of the mission processing modules (VPM) to act as guard using BriefCASE AADL tools

30

VPM VDTUMC1ADSB TAC-SVS

PSM1

SwitchDigital switch

on PSM1

Other CAAS

WirelessRouter

PilotTablet1

SoldierTablet2



H A R D E N E D S Y S T E M

CASE PHASE 3 DEMONSTRATION

31

VDTUMC1VPMADSB TAC-SVS

PSM1

SwitchDigital switch

on PSM1

PilotTablet1

Other CAAS

SoldierTablet2

Wireless Router

• Filter messages to/from tablets• Attestation of tablet(s)• Monitor ADSB traffic for spoofing• seL4 hosting Android

• Attestation

VDTU

• Virtualization for legacy functions



• Developer assistance to implement cyber-resiliency• Automated architecture transforms for threat mitigation• High assurance components generated from specifications• Techniques to deal with legacy code (cyber retrofit)

• MBSE environment for high-assurance cyber-resilient system development

• Build system directly from detailed, verified AADL model• Makes the security guarantees of seL4 accessible to system developers• Ability to target different platforms to facilitate incremental

debugging/development

• Integration of formal verification/proof• Formal verification of functional and cyber-resiliency properties, information

flow properties, component proofs• Code generation equivalence to model, seL4 build preserves properties• Integrate evidence as an assurance case demonstrating how/why

requirements are satisfied

CONCLUSION

MBSECModel-Based Systems

Engineering for Cybersecurity

CY-RESArchitectural Transformations

for Cyber-Resiliency

PROOFEnd-to-End Integrated

Formal Verification

32

Open-source tools : GitHub.com/Loonwerks/formal-methods-workbenchDemo video : Loonwerk.com/projects/case.html


cyber assured systems engineering

Documents